I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellanea like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

On Thursday, Verizon released its annual Data Breach Investigations Report [PDF here], the largest study of its kind, and one that delves into data from hundreds of the company’s breach responses, along with those performed by law enforcement agencies including the U.S. Secret Service as well as Australian, Dutch, U.K. and Irish police. The result of this year’s study is clear enough: In 2011, hacktivists made their presence felt in the world of information security more than ever before, and by some measures even more than the financial criminals who usually dominate data breach statistics.

Of the 855 breach incidents from the last year that Verizon’s security team analyzed, three percent were attributed to “hacktivists.” That may seem like a small proportion, but Verizon’s director of security research Wade Baker says it’s giant compared to the same category in previous studies, which barely created a blip on Verizon’s radar last year and accounted for less than one percent of incidents. Narrow the field of victims to only large organizations, which hackers within Anonymous and its splinters target for maximum exposure, and the number of hacktivist incidents rises to 25%.

But the real impact of last year’s radical hacktivism can be seen in the numbers of actual compromised records–each one representing data attached to an individual. Of the 177 million records stolen by hackers over the last year, 100 million were taken by hacktivists. The stats don’t even include common hacktivist techniques like website takedowns with denial of service attacks or defacements, instead focusing only on actual data theft.

Of those data-stealing hacktivist attacks, the vast majority were the work of Anonymous or one of the movement’s subgroups, says Bryan Sartin, vice president of Verizon’s RISK security group. “At least three out of four were Anonymous, where a group like LulzSec or a message saying ‘We are Legion’ claimed credit.”

Certainly hacktivism isn’t a new phenomenon. The report attributes the term to the Cult of the Dead Cow hacker group from the late 1990s. But Verizon’s analysts write that hackers previously limited their attacks to defacements and website takedowns, not mass data theft. “Data theft as a tool of hacktivism was one of the most damaging things they could do,” says Baker. “And they were very successful at it.”

Verizon doesn’t break its numbers down into specific incidents, but the exploits of Anonymous, and specifically its submovements like LulzSec and Antisec over the last year certainly seem to have produced enough breaches to account for Verizon’s figures. LulzSec, for instance, went on a rampage last spring that began with its dump of 73,000 names of contestants on the U.K. television show the X-Factor and followed up with hacks of Sony, a handful of video game companies, porn sites, and defense contractors. Each attack led to releases of tens or hundreds of thousands of users’ information, and one package the group released of random stolen leftovers was thought to contain around 750,000 users’ data.

Verizon’s Baker notes that the hacktivist attacks the study analyzed show a lower number of skilled attacks on targets that produced a higher volume of stolen data when compared to the tactics of typical financially-motivated cybercriminals. Baker says profit-motivated hackers were far more likely in 2011 to attack small firms such as the franchises of retail corporations, reproducing their low-volume thefts again and again. That finding echoes the results of another report released by the security firm Trustwave earlier this year, which stated that one third of the breaches it investigated targeted franchises.

Because hacktivists were targeting larger organizations and seeking publicity rather than silent, profitable theft from easy targets, they used some tactics that Verizon says it had rarely seen before: DNS tunneling, for instance, which exploits a target’s servers that convert IP addresses to domain names as an entry point into its networks, or denial of service attacks that served as a distraction while the attackers simultaneously penetrated another part of the network. In close to 75% of cases, hacktivist targets were warned ahead of time that they would face an attack, a tactic that rarely if ever is used by financially-motivated hackers.

“They definitely demonstrated different modes, and in many cases a lot more sophistication,” Baker says.

The full study contains more data and trends in the last year’s hacking incidents, and is definitely worth checking out. I’ve embedded the full report below.


Comments

Can you please refrain from using such distasteful jargon to identify a global community of people trying to protect what little freedoms they have, as “radical.”

At one point in time those who have shaped and excelled our beliefs for the betterment of humanity were once deemed as radicals. After centuries of bloodshed their ideas and discoveries are what we know, believe, and apply every day. What we aim to do is take our conscious-awareness to the next level, only this time we have what little power of voice and information to spread the message and obtain our goals in a PEACEFUL manner. NO blood will ever be shed by the people for the people.

Anonymous isn’t perfect, and there are many well-intentioned people who are activists therein, and there are also some people who do horrible things to people’s lives for the lulz. Painting with a broad brush isn’t fair, but there are some legitimate assaults on innocent people. Yeah, most online privacy issues can be prevented by common sense. Particularly problematic for many people is seeing how they post personal information on social media, neglect to use privacy settings, and are surprised when their personal information is stolen weeks later. While you can be careful about what you post about yourself, you can’t prevent other people from posting about you. Also problematic for people is how there are sites like http://www.dirtyphonebook.com where people post personal information about each other that can’t be removed. With Google making all of this information widely available, being vigilant about seeing what people can find out about you is critical to maintaining your online reputation. Facebook can do a bit more to prevent people from accidentally messing up their own lives by encouraging more sensible defaults, but in the end people have to be smart about what they post about themselves online, and this doesn’t solve all potential problems. But I think that as long as Anonymous indirectly harms innocent people, they’ll continue to get criticism. Government and other targets like that are fair game, but when people are harmed through the internet that’s where you have to draw the line.

You should get to know Anonymous beyond what you read in the news before glorifying them. I support Anonymous and have been involved in the hacktivist community going back before Anonymous was around, but the majority of people involved are kids who get a kick out of causing trouble. They’re pranksters with a political bent, not the vanguard of some kind of shift in global consciousness.

Yes, hacktivism, the real threat to data. Never mind that most breaches were highly publicized by the hacktivists compared to hacks done by real criminals that tell no one and, based on many previous reports over the years, are extremely likely to go unreported to authorities regardless of current disclosure laws. Also, how much easier would it be for the companies to claim that “Anonymous did it” versus revealing that the real thieves were actual criminals overseas? That would certainly seem less severe of a breach and would spare the company a costly and extensive investigation. Additionally, if I were a hacker you bet I would be pinning the blame on Anonymous by leaving a note in the systems I broke into. I would love to see a report on how many of these breaches Anonymous and Co. take credit for versus the number of breaches said to have been perpetrated by them, seeing as they do not seem shy in letting people know who they hacked.

Hey Anonos, I agree that there is likely a bias toward the hacktivist numbers in terms of breached records, given that it can be tough to gauge how many records were compromised in a breach if it’s not publicly stated (and published, as hacktivists tend to do). But I don’t agree that there’s a bias towards the detection of these breaches. Verizon’s study didn’t depend on public notice of breaches or breach disclosure laws. It used data from its own investigations of breaches on behalf of clients, which usually are kept under wraps with non-disclosure agreements. It also used law enforcement data from around the world, which similarly doesn’t depend on a breach being publicized. Law enforcement and breach response firms both frequently work on cases that aren’t publicly described.

As for your comment about “pinning the blame” on Anonymous, you’re right that this probably happens. While that’s a real issue, the underlying problem in measurement is that Anonymous has no distinct boundaries. It’s tough to disclaim even financially-motivated attacks from being part of Anonymous when the movement leaves itself open to anyone who wants to use its brand.

The disclosure laws portion of my comment may have been misleading. I was stating the fact that many companies don’t report these incidents AT ALL to authorities due to the perceived damage reporting this would do. Being in the IT industry I have heard my share of stories about breaches occurring and going unreported, but the issue of how many breaches occur and how many are reported is a different discussion.

PWC has focused on another aspect of security — breaches caused by employees using their own devices for work. The report, which it will release at Infosecurity Europe next week, says that 84 percent of large organizations reported security breaches caused by staff including 47 percent who lost or leaked confidential information. Only 39 percent of organizations encrypt data downloads to smart phones and tablets. More than half of small organizations don’t have security awareness programs, although it is better at large firms where only 38 percent don’t.